
Virus in Exchange Server

Hi,

Just curious whether the virus has been contained on our Exchange Server. Before I installed Symantec Mail Security for Exchange we had Symantec Antivirus Corporate Edition running on the server. The Corporate Edition was useless at detecting viruses in the Exchange Server. Even when I did a full system scan excluding the M: drive, the Corporate Edition still showed the system as clean. Now, after installing the antivirus for Exchange, our server went crazy, detecting all kinds of viruses like different variants of the Netsky and Beagle viruses. The antivirus for Exchange seems to delete the files fine for whatever viruses were generating the alerts. I tried a manual scan on the Exchange Server using the antivirus for Exchange a day later, and now it too is not detecting any viruses. Can I say it is safe that our server is now virus free? I have scanned all of the clients' computers using the Corporate Edition and they show no sign of virus infection. Is it safe to say that the network is now free of viruses? What can I do to ensure this if I am using both the Corporate Edition and the antivirus for Exchange to scan and they show no sign of infection? What other steps do I need to take to guarantee that the server is virus free?


I get the feeling the Corporate Edition cannot scan emails in the Exchange database, which is why it did not pick anything up.
When you are running an Exchange server, you need to run a product that is able to access all the mailboxes to scan the emails within the Exchange database.

Even though your anti-virus product found viruses on your Exchange server, it doesn't mean that your server has actually been infected by the viruses; it's just that the anti-virus product has found infected files that will infect a system if the file is executed.

Since your AV product found loads of infected files on the Exchange system, I would make sure all your network client machines have been thoroughly scanned and make sure that they have the latest Windows and Office (if you use MS Office) updates.

It might be worth running a different make of anti-virus product on some of the client machines to make sure you are picking up everything; also check your AV definitions are up to date.
I think McAfee have a free virus tool called Stinger (you will need to Google it since it's quite hard to find on the McAfee site nowadays). Stinger should be used on the client machines and will detect a lot of the major viruses that are out there at the moment.

I use Sophos on my server, where we have about 50 people on the network. I am very happy with this product as it updates pretty much every hour and rolls out the updates across the network without me having to do anything.

"... The (Norton AV) Corporate Edition was useless in detecting viruses in the Exchange Server." I totally agree with the statement.
Even if a virus was detected in a message, the standard NAV CE report for "Action taken" will read: LEFT ALONE. God!!!
_____________________
I'm not at my server currently so I can't recall the exact folder name within MSExchange, but there is one that contains the word "...BAD" (note: all uppercase). You can safely delete all files within that particular folder. They are actually backup copies of infected messages.
I learned the trick from the ProSweep online virus scanner ( http://www.command2.co.uk ), an excellent free handy-dandy for my aging Windows 2000 Small Business Server, capable of scanning even all shared folders on the network.
Dealing with Badmail: http://hellomate.typepad.com/exchange/2003/07/dealing_with_ba.html
Black Holes: http://hellomate.typepad.com/exchange/2003/07/black_holes_not.html
____________________

Also run RootkitRevealer - download it here: http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
(RootkitRevealer is an advanced patent-pending root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender.)
____________________
good luck
nedvis
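
Purging that folder, as an added PowerShell example that is not part of nedvis's post. The folder he is thinking of is the SMTP virtual server's Badmail directory (the "Dealing with Badmail" link above covers it); the path below is assumed for a default Exchange 2000/2003 install with a single SMTP virtual server ("vsi 1"), the seven-day retention and the dry-run default are my own choices, and it needs PowerShell 3 or newer for the -File switch on Get-ChildItem:

```powershell
# Added example (not from the thread): purge old messages from an Exchange
# 2000/2003 SMTP Badmail folder. Default path is assumed for a single SMTP
# virtual server ("vsi 1"); pass -BadMail for a different layout.
param(
    [string]$BadMail  = 'C:\Program Files\Exchsrvr\Mailroot\vsi 1\BadMail',
    [int]   $KeepDays = 7,       # keep the last week in case a message needs inspecting
    [switch]$Commit              # without -Commit this is a dry run
)
$ErrorActionPreference = 'Stop'

# Guard rails: only ever operate on an existing folder that is actually named BadMail
if ((Split-Path -Path $BadMail -Leaf) -ne 'BadMail') {
    throw "Refusing to run: '$BadMail' is not a BadMail folder"
}
if (-not (Test-Path -LiteralPath $BadMail -PathType Container)) {
    throw "Folder not found: $BadMail"
}

$cutoff = (Get-Date).AddDays(-$KeepDays)
# Badmail typically holds .BAD (message), .BDP (properties) and .BDR (delivery report) files
$stale = @(Get-ChildItem -LiteralPath $BadMail -File | Where-Object { $_.LastWriteTime -lt $cutoff })

$bytes = ($stale | Measure-Object -Property Length -Sum).Sum   # $null when nothing is stale
$mb    = [math]::Round(($bytes / 1MB), 1)
"{0} stale files ({1} MB) older than {2:yyyy-MM-dd} in {3}" -f $stale.Count, $mb, $cutoff, $BadMail

# Show the oldest items before touching anything
$stale | Sort-Object LastWriteTime | Select-Object -First 10 Name, Length, LastWriteTime | Format-Table -AutoSize

if ($Commit) {
    $stale | Remove-Item -Force
    "Deleted $($stale.Count) files"
} else {
    "Dry run only. Re-run with -Commit to delete."
}
```

Run it once without -Commit to see what would go, then again with -Commit. The leaf-name check is there because the same script pointed at the wrong Mailroot subfolder (Queue, Pickup) would silently eat live mail.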

Just to add a note to nedvis' good advice above:
before you run RootkitRevealer, change its name to something random and
then run it, something like domqklyuosde.exe.
Some of these rootkits are being configured to block RootkitRevealer! :(
HackerDefender in particular.
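
The rename-before-running step above, as an added PowerShell example that is not part of the thread's posts. It assumes RootkitRevealer.exe has been downloaded to C:\Tools (adjust $ToolPath), that the tool accepts the -a (scan without the GUI and exit) and -c (CSV output) switches as documented for later releases, and PowerShell 4 or newer for Get-FileHash:

```powershell
# Added example (not from the thread): run RootkitRevealer under a random
# file name so a rootkit that blacklists "RootkitRevealer.exe" by name
# cannot recognise it. Paths and switches below are assumptions.
param(
    [string]$ToolPath = 'C:\Tools\RootkitRevealer.exe',  # assumed location of the tool
    [string]$WorkDir  = 'C:\Tools'                        # where the renamed copy and report go
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $ToolPath)) { throw "Tool not found: $ToolPath" }

# Random 12-letter name, like the "domqklyuosde.exe" suggested above, generated fresh each run
$alphabet = [char[]]'abcdefghijklmnopqrstuvwxyz'
$name     = -join (1..12 | ForEach-Object { $alphabet | Get-Random })
$copyPath = Join-Path $WorkDir "$name.exe"
$report   = Join-Path $WorkDir "$name.csv"

Copy-Item -LiteralPath $ToolPath -Destination $copyPath

# Make sure what we are about to execute is byte-for-byte the tool we copied
$origHash = (Get-FileHash -LiteralPath $ToolPath -Algorithm SHA256).Hash
$copyHash = (Get-FileHash -LiteralPath $copyPath -Algorithm SHA256).Hash
if ($origHash -ne $copyHash) { throw 'Renamed copy does not match the original binary' }

try {
    # -a: scan and exit without the GUI; -c: CSV output (switches assumed from the tool's docs)
    $proc = Start-Process -FilePath $copyPath -ArgumentList @('-a', '-c', "`"$report`"") -Wait -PassThru
    if ($proc.ExitCode -ne 0) { Write-Warning "RootkitRevealer exited with code $($proc.ExitCode)" }

    if (Test-Path -LiteralPath $report) {
        # Every line is a discrepancy between the Windows API view and the raw hive/disk view
        $lines = @(Get-Content -LiteralPath $report)
        "{0} discrepancies written to {1}" -f $lines.Count, $report
        $lines | Select-Object -First 20
    } else {
        Write-Warning "No report produced at $report"
    }
}
finally {
    # Leave no copy behind under the random name
    Remove-Item -LiteralPath $copyPath -Force -ErrorAction SilentlyContinue
}
```

Copying rather than renaming keeps the original in place for the next run, and the hash comparison catches the case where something on the box tampers with the binary between copy and launch. Discrepancies in the report are not automatically rootkits (NTFS metadata and some legitimate software show up too), so read them before acting.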